NemoClaw Security Controls, Risks, and Posture Profiles
NemoClaw ships with deny-by-default security controls across five layers: network, filesystem, process, gateway authentication, and inference. You can tune every control, but each change shifts the risk profile. This page documents each configurable control, its default, what it protects, the concrete risk of relaxing it, and a recommendation for common use cases.
For background on how the layers fit together, refer to How It Works.
OpenShell enforces the platform-level mechanisms that NemoClaw configures, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication. For the full platform-level controls reference, refer to OpenShell Security Best Practices.
Protection Layers at a Glance
NemoClaw enforces security at five layers. NemoClaw locks some controls when it creates the sandbox and requires a restart to change them. You can hot-reload others while the sandbox runs.
The following diagram shows the default posture immediately after onboarding, before you approve any endpoints or apply any presets.
Network Controls
NemoClaw controls which hosts, ports, and HTTP methods the sandbox can reach, and lets you approve or deny requests in real time. Network policy allowlists do not disable OpenShellโs SSRF guard, so internal-address blocking remains active even when an endpoint matches an egress rule.
OpenShell provides additional network enforcement mechanisms not covered here, including network namespace isolation, SSRF protection, TLS auto-detection and termination, and audit-vs-enforce modes. Refer to the Network Controls section of the OpenShell Security Best Practices.
Deny-by-Default Egress
The sandbox blocks all outbound connections unless you explicitly list the endpoint in the applicable baseline policy files.
Credential Discovery Boundaries
Credential probes are active network behavior, not harmless fallback checks. NemoClaw allows a credential source only in the process that is intended to hold those credentials and can reach that source.
Network policy remains a second enforcement layer, not a substitute for disabling an impossible credential provider. Adding support for a new metadata-backed source requires a separately designed broker and explicit credential-boundary review.
Hermes Managed Inference Credential Discovery
NemoClaw configures Hermes with a custom provider through inference.local, and the shipped Hermes image does not install the optional native Bedrock dependency.
AWS credential discovery for supported Bedrock inference therefore remains in NemoClawโs host-local adapter, outside the sandbox.
If direct Hermes Bedrock support is added later, it must apply the same unavailable-metadata rule and include Hermes-specific credential-probe acceptance tests before it is enabled.
Binary-Scoped Endpoint Rules
Each network policy entry uses the binaries field to restrict which executables can reach the endpoint.
OpenShell identifies the calling binary by reading /proc/<pid>/exe (the kernel-trusted executable path, not argv[0]), walking the process tree for ancestor binaries, and computing a SHA256 hash of each binary on first use.
If someone replaces a binary while the sandbox runs, the hash mismatch immediately denies the request.
Path-Scoped HTTP Rules
Endpoint rules restrict allowed HTTP methods and URL paths.
L4-Only vs L7 Inspection (protocol Field)
All sandbox egress goes through OpenShellโs CONNECT proxy.
The protocol field on an endpoint controls whether the proxy also inspects individual HTTP requests inside the tunnel.
Operator Approval Flow
When the agent reaches an unlisted endpoint, OpenShell blocks the request and prompts you in the TUI.
Policy Presets
NemoClaw ships preset policy files in nemoclaw-blueprint/policies/presets/ for common integrations.
Apply presets only when the agentโs task requires the integration. Review the presetโs YAML file before applying to understand the endpoints, methods, and binary restrictions it adds.
Web Search Credential Rewriting
NemoClaw registers each selected web search credential in a sandbox-scoped OpenShell provider and writes a resolver placeholder into the agent configuration.
Hermes sends the Tavily placeholder in the JSON api_key field, so the tavily policy preset enables request_body_credential_rewrite for api.tavily.com.
OpenShell replaces these placeholders only when the request reaches the matching egress policy path.
The raw TAVILY_API_KEY is not written into the sandbox configuration.
The tavily preset restricts agent egress to the maintained Python and Node.js paths used by the supported agents.
Its exact curl paths are used only by onboardingโs post-create verifier.
Do not replace these paths with a broad /** binary rule.
Broader binary access would let unrelated sandbox processes send data to Tavily through the same allowed endpoint.
Filesystem Controls
NemoClaw restricts which paths the agent can read and write, protecting system binaries, configuration files, and gateway credentials.
OpenShell covers additional filesystem enforcement details, including hard_requirement compatibility mode for Landlock and policy path validation rules.
Refer to the Filesystem Controls section of the OpenShell Security Best Practices.
Read-Only System Paths
The container mounts system directories read-only to prevent the agent from modifying binaries, libraries, or configuration files.
Agent Config Directory
The /sandbox/.hermes directory contains Hermes runtime configuration, generated environment settings, logs, platform state, and durable database state.
NemoClaw writes config.yaml and .env during onboarding and rebuilds.
Direct edits to these files can be overwritten when NemoClaw regenerates the image.
Hermes also stores runtime state such as state.db, logs, and platform sessions under the .hermes tree.
Messaging sessions such as WhatsApp pairing can remain mutable by design so they survive rebuilds.
Writable Paths
The agent has read-write access to /sandbox, /tmp, /dev/null, and /dev/pts.
Landlock LSM Enforcement
Landlock is a Linux Security Module that enforces filesystem access rules at the kernel level.
Process Controls
NemoClaw limits the capabilities, user privileges, and resource quotas available to processes inside the sandbox.
OpenShell enforces additional process-level controls not covered here, including seccomp BPF socket domain filters and a specific enforcement application order (namespace entry, privilege drop, Landlock, seccomp). Refer to the Process Controls section of the OpenShell Security Best Practices.
Capability Drops
The entrypoint drops dangerous Linux capabilities from the bounding set at startup using capsh.
This limits what capabilities any child process (gateway, sandbox, agent) can ever acquire.
When the entrypoint switches from root to the sandbox and gateway users, it uses setpriv when available to remove the remaining privilege-separation capabilities from the child process at the same time as the user change.
The initial entrypoint drop removes cap_sys_admin, cap_sys_ptrace, cap_net_raw, cap_dac_override, cap_sys_chroot, cap_fsetid, cap_setfcap, cap_mknod, cap_audit_write, and cap_net_bind_service.
During setpriv step-down, the child process also loses cap_setuid, cap_setgid, cap_fowner, cap_chown, and cap_kill.
This behavior is best effort.
If capsh is not available or CAP_SETPCAP is not in the bounding set, the entrypoint logs a warning and continues with the default capability set.
If setpriv is unavailable, the entrypoint falls back to gosu and logs a warning that the remaining bounding-set capabilities were retained for the child process.
To make the drop fail-closed instead of best-effort, set NEMOCLAW_REQUIRE_CAP_DROP=1 in the entrypoint environment.
The agent then refuses to start unless it verifies that the agent process treeโs bounding set is free of dangerous capabilities.
It does not boot on a host whose bounding set still holds them, typically one that cannot perform the drop because CAP_SETPCAP or capsh is missing and the container runtime did not provide a clean bounding set.
This is opt-in because such hosts are common, including many cloud VMs, Docker Desktop, and WSL.
Leaving it unset preserves the best-effort default.
The check covers the agent process tree only.
The container runtime spawns a nemohermes connect shell outside that tree, so the check does not affect it (tracked in NVIDIA/OpenShell#1452).
Gateway Process Isolation
Gateway and agent UID isolation depends on the container process topology.
A direct root-entrypoint container runs the gateway as the separate gateway user and the agent as the sandbox user.
An OpenShell-managed container has OpenShell as PID 1 and launches nonroot nemoclaw-start, so the supervisor, gateway, and agent all use the sandbox UID.
No New Privileges
The no-new-privileges flag prevents processes from gaining additional privileges through setuid binaries or capability inheritance.
Process Limit
A process limit caps the number of processes the sandbox user can spawn.
The entrypoint sets both soft and hard limits using ulimit -u 512.
This behavior is best effort.
If the container runtime restricts ulimit modification, the entrypoint logs a security warning and continues without the limit.
Open File Descriptor Limit
An open file descriptor limit caps the number of files, sockets, and pipes the sandbox user can hold open at once.
The entrypoint sets both soft and hard limits using ulimit -n 65536.
This behavior is best effort.
If the container runtime restricts ulimit modification, the entrypoint logs a security warning and continues without the limit.
Non-Root User
The sandbox runs agent processes as a dedicated sandbox user and group.
The entrypoint starts as root for privilege separation, then drops to the sandbox user for all agent commands.
PATH Hardening
The entrypoint locks the PATH environment variable to system directories, preventing the agent from injecting malicious binaries into command resolution.
Build Toolchain Removal
The Dockerfile removes compilers and network probes from the runtime image.
Image Digest Pinning
The blueprint references the sandbox image by an immutable @sha256: digest instead of a mutable tag such as :latest.
A registry compromise or accidental force-push cannot silently swap the sandbox image.
Gateway Authentication Controls
Hermes exposes an OpenAI-compatible API on the forwarded Hermes port and can optionally expose the native Hermes dashboard.
Do not publish those endpoints on shared or public networks unless you put them behind your own access controls.
NemoClaw still keeps provider credentials in OpenShell and routes model traffic through inference.local.
Generated Hermes runtime files use OpenShell resolver placeholders for managed-tool and messaging credentials.
Hermes startup rejects raw secret-shaped values in sandbox-visible environment or config fields, while allowing empty values, migration sentinels, OpenShell resolver placeholders, and expected Slack placeholder forms.
CLI Secret Redaction
The CLI automatically redacts secret patterns (API keys, bearer tokens, provider credentials) from command output and error messages before logging them.
Memory Secret Scanner
Hermes does not use the OpenClaw NemoClaw plugin memory scanner. Keep secrets in environment variables or OpenShell providers, and avoid writing raw credentials to Hermes state files or workspace content.
Inference Controls
OpenShell routes all inference traffic through the gateway to isolate provider credentials from the sandbox.
Routed Inference through inference.local
The OpenShell gateway intercepts all inference requests from the agent and routes them to the configured provider. The agent never receives the provider API key.
Provider Trust Tiers
Different inference providers have different trust and cost profiles.
For sensitive workloads, use local Ollama to keep data on-premise. For general use, NVIDIA Endpoints provide a balance of capability and trust. Review the data policies of any cloud provider you use.
Experimental Providers
The NEMOCLAW_EXPERIMENTAL=1 environment variable gates local NVIDIA NIM and generic Linux managed vLLM install/start.
DGX Spark and DGX Station managed vLLM entries appear by default.
An already-running vLLM server on localhost:8000 also appears in the menu without a flag because selecting it is an explicit user action.
Posture Profiles
The following profiles describe how to configure NemoClaw for different use cases. These are not separate policy files. They provide guidance on which controls to keep tight or relax.
Locked-Down (Default)
Use for always-on assistants with minimal external access.
- Keep all defaults and do not add presets.
- Use operator approval for any endpoint the agent requests.
- Use NVIDIA Endpoints or local Ollama for inference.
- Monitor the TUI for unexpected network requests.
Development
Use when the agent needs package registries, Docker Hub, or broader GitHub access during development tasks.
- Apply the
pypiandnpmpresets for package installation. - Keep binary restrictions on all presets.
- Review the agentโs network activity periodically with
openshell term. - Use operator approval for any endpoint not covered by a preset.
Integration Testing
Use when the agent talks to internal APIs or third-party services during testing.
- Add custom endpoint entries with tight path and method restrictions.
- Use
protocol: restfor all HTTP APIs to maintain inspection. - Use operator approval for unknown endpoints during test runs.
- Review and clean up the baseline policy after testing by removing endpoints that are no longer needed.
Common Mistakes
The following patterns weaken security without providing meaningful benefit.
Known Limitations
Related Topics
-
Network Policies for the full baseline policy reference.
-
Customize the Network Policy for static and dynamic policy changes.
-
Approve or Deny Network Requests for the operator approval flow.
-
Choose an Inference Provider for provider configuration details.
-
How It Works for the protection layer architecture.
-
OpenShell Security Best Practices for the platform-level controls reference, including network namespace isolation, seccomp filters, SSRF protection, TLS termination, and gateway authentication.